Systematic Vulnerabilities in Apple AirDrop and Android Quick Share
Researchers from CISPA have identified critical zero-click vulnerabilities in the proximity-based file-transfer protocols Apple AirDrop and Google/Samsung Quick Share. Using the custom protocol-aware fuzzer "AIRFUZZ", the study uncovered systemic flaws in how privileged daemons parse unauthenticated, complex serialized content such as binary plists, CPIO archives, and Protocol Buffers, all before any user interaction. Exploitation vectors include Swift-based denial of service (DoS), XML recursion, and memory corruption via a heap use-after-free (UAF). Most significantly, the research demonstrated a complete bypass of device-to-device (D2D) encryption in Samsung Quick Share. The researchers estimate that over 5 billion devices are affected. Apple, Google, and Samsung have all released patches; because the vulnerable parsers run in privileged daemons that accept input from any device in radio range, applying those updates promptly is the practical remediation.
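As an added illustration (not AIRFUZZ itself, whose code is not reproduced here), the following Python harness shows what "protocol-aware" means for one of the formats named above: it decodes the binary-plist trailer, mutates individual structural fields rather than random bytes, and classifies how the parser under test fails, separating clean rejection from anything else that would merit triage. Python's plistlib stands in for the daemon's parser; the seed dictionary, mutation names and helper functions are this example's own choices.

```python
import plistlib
import struct

# Layout of the 32-byte bplist00 trailer (big-endian):
#   6 unused bytes, offset_size, ref_size, num_objects, top_object, offset_table_offset
TRAILER = struct.Struct(">6xBBQQQ")
FIELDS = ("offset_size", "ref_size", "num_objects", "top_object", "offset_table_offset")


def parse_trailer(blob: bytes) -> dict:
    """Decode the trailer of a binary plist into a dict of named fields."""
    if not blob.startswith(b"bplist00") or len(blob) < 8 + TRAILER.size:
        raise ValueError("not a bplist00 blob")
    return dict(zip(FIELDS, TRAILER.unpack(blob[-TRAILER.size:])))


def with_trailer(blob: bytes, **changes) -> bytes:
    """Return a copy of blob whose trailer has the given fields overwritten."""
    fields = parse_trailer(blob)
    unknown = set(changes) - set(FIELDS)
    if unknown:
        raise KeyError(f"unknown trailer field(s): {sorted(unknown)}")
    fields.update(changes)
    return blob[:-TRAILER.size] + TRAILER.pack(*(fields[name] for name in FIELDS))


def structure_aware_mutants(blob: bytes) -> dict:
    """Mutants that keep the container well-formed but push one trailer field out of range each.

    Mutation names are this example's own; a real campaign would also mutate object bodies.
    """
    fields = parse_trailer(blob)
    return {
        "offset_size_zero": with_trailer(blob, offset_size=0),
        "offset_size_oversized": with_trailer(blob, offset_size=16),
        "ref_size_zero": with_trailer(blob, ref_size=0),
        "num_objects_huge": with_trailer(blob, num_objects=1 << 20),
        "top_object_out_of_range": with_trailer(blob, top_object=fields["num_objects"] + 1),
        "offset_table_past_end": with_trailer(blob, offset_table_offset=len(blob)),
    }


def classify(blob: bytes) -> str:
    """Feed one input to the parser under test and classify how it behaves."""
    try:
        plistlib.loads(blob)
        return "accepted"
    except plistlib.InvalidFileException:
        return "rejected"                       # clean rejection of malformed input
    except Exception as exc:                    # anything else is a robustness finding
        return f"unexpected:{type(exc).__name__}"


def run_campaign(blob: bytes) -> dict:
    """Map each mutant name to the parser's verdict on it."""
    return {name: classify(mutant) for name, mutant in structure_aware_mutants(blob).items()}


def build_sample() -> bytes:
    """Constructed seed input; a real harness would seed from captured transfer metadata."""
    return plistlib.dumps({"a": 1}, fmt=plistlib.FMT_BINARY)


if __name__ == "__main__":
    seed = build_sample()
    print(parse_trailer(seed))
    for name, verdict in run_campaign(seed).items():
        print(f"{name:26s} {verdict}")
```

A verdict other than "rejected" for a structurally invalid input is the interesting case: "accepted" means the parser silently tolerated corrupted metadata, and "unexpected:…" means an error path the parser's author did not anticipate, which is where the memory-safety bugs in a native implementation would surface.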
Apple iPhone BootROM Vulnerability usbliter8
A critical hardware-level vulnerability in Apple's SecureROM (BootROM) enables privileged code execution on A12 and A13 chipsets via the 'usbliter8' exploit. The flaw stems from a design weakness in the Synopsys DesignWare USB 2 (DWC2) controller: a mismatch between DMA pointer increments and resets during USB SETUP transactions causes a buffer underflow. On A13 devices, attackers bypass Pointer Authentication (PAC) through heap corruption and interrupt-handler manipulation to reach EL1 privileged execution with the device in Device Firmware Update (DFU) mode, which requires physical USB access. Because the vulnerable code lives in the immutable BootROM, it cannot be fixed by a software update; full remediation requires replacing the affected hardware.
AI-Assisted Deobfuscation of Control Flow Flattening using Qwen2.5-Coder and Ghidra
This research evaluates how effectively local large language models (LLMs), specifically the Qwen2.5-Coder series, deobfuscate binaries protected by control flow flattening (CFF). Using a closed-loop workflow of Ghidra decompilation, Ollama-orchestrated prompting, and behavioral verification, the study tests whether the models can recover RC4 logic from stripped, obfuscated C code. The findings indicate that structural recovery is achievable, but the smaller models (7B to 14B parameters) suffer critical reasoning failures: data-flow loss, incorrect operator precedence, and self-audit hallucinations, where the model asserts it has checked output that is in fact wrong. The research concludes that LLMs currently work best as hypothesis generators inside a rigorous, behaviorally verified analysis framework rather than as autonomous deobfuscation engines.
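To make the "behavioral verification" step concrete, the following Python harness is an added example, not the study's code: a reference RC4 implementation checked against published test vectors serves as the oracle, and two hypothetical model outputs reproduce the failure classes named above, one with data-flow loss (the key byte never reaches j in the key schedule) and one with an operator-precedence error. The function names and the two buggy candidates are this example's constructions; the point is that the verifier, not the model's own self-audit, decides whether a recovered routine is correct.

```python
from typing import Callable, List, Tuple

# Published RC4 test vectors (key, plaintext, ciphertext) used as the behavioural oracle.
VECTORS: List[Tuple[bytes, bytes, bytes]] = [
    (b"Key", b"Plaintext", bytes.fromhex("BBF316E8D940AF0AD3")),
    (b"Wiki", b"pedia", bytes.fromhex("1021BF0420")),
    (b"Secret", b"Attack at dawn", bytes.fromhex("45A01F645FC35B383552544B9BF5")),
]

Cipher = Callable[[bytes, bytes], bytes]


def _prga(S: list, data: bytes) -> bytes:
    """RC4 pseudo-random generation: shared by every candidate below."""
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) % 256])
    return bytes(out)


def rc4_reference(key: bytes, data: bytes) -> bytes:
    """Ground-truth RC4: correct key-scheduling algorithm followed by the PRGA."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    return _prga(S, data)


def hypothesis_key_dropped(key: bytes, data: bytes) -> bytes:
    """Hypothetical model output with data-flow loss: the key byte never reaches j."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i]) % 256                    # key[i % len(key)] was lost
        S[i], S[j] = S[j], S[i]
    return _prga(S, data)


def hypothesis_precedence_bug(key: bytes, data: bytes) -> bytes:
    """Hypothetical model output with an operator-precedence error in the KSA."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = j + S[i] + key[i % len(key)] % 256  # % binds only to the key byte, so j escapes 0..255
        S[i], S[j] = S[j], S[i]
    return _prga(S, data)


def verify(candidate: Cipher, vectors=VECTORS):
    """Run a candidate against the oracle; an exception counts as a failure, not as a harness crash."""
    report = []
    for key, plaintext, expected in vectors:
        try:
            got = candidate(key, plaintext)
            verdict = "ok" if got == expected else f"mismatch: got {got.hex()}"
        except Exception as exc:
            verdict = f"raised {type(exc).__name__}"
        report.append((key.decode(), verdict))
    return all(v == "ok" for _, v in report), report


if __name__ == "__main__":
    for name, fn in [("reference", rc4_reference),
                     ("key_dropped", hypothesis_key_dropped),
                     ("precedence_bug", hypothesis_precedence_bug)]:
        ok, report = verify(fn)
        print(f"{name:16s} {'PASS' if ok else 'FAIL'} {report}")
```

In the closed loop described above, a FAIL verdict with its report would be fed back to the model as the next prompt; a PASS is the only evidence that counts, regardless of how confidently the model described its own output.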
SilentCryptoMiner-Based RAT and Mining Campaign Targeting Piracy Platforms
A long-running cybercrime campaign, active since at least 2022, uses a heavily customized fork of the SilentCryptoMiner malware to target users of high-traffic piracy platforms, including digital libraries and video streaming services. The initial vector is social engineering: deceptive "plugin updates" or "browser patches" lead the victim to trigger DLL side-loading. The execution chain begins with a stack overflow in a function named 'SmashStack', which launches return-oriented programming (ROP) chains that decrypt and reflectively load a hybrid payload. That payload combines a cryptocurrency miner that runs on both CPU and GPU with a remote access trojan (RAT) for persistent command-and-control (C2) access. Evasion is deliberate and layered: the malware deletes Microsoft's Malicious Software Removal Tool (mrt.exe), adds Windows Defender exclusions, and runs a dedicated watchdog module that protects the miner's integrity; each of these is a visible host-side action and therefore a useful detection point. C2 traffic is obfuscated with AES-CBC encryption and DNS tunneling disguised as Microsoft telemetry, with domains generated by a MurmurHash64-based domain generation algorithm (DGA).
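The evasion and C2 behaviours listed above suggest detection logic a SOC could run over endpoint telemetry. The following Python is an added example, not a detection from the original report: it scans constructed process-creation and DNS records (all domains use the reserved .example TLD, and no real indicator from the campaign is reproduced) for Defender exclusion changes, tampering with mrt.exe, and tunnel-shaped DNS traffic, meaning many distinct, long, high-entropy subdomains under one parent domain. The actual MurmurHash64 DGA is not reproduced here; the regexes, thresholds and record layout are this example's assumptions.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample telemetry (not from a real incident); *.example domains are placeholders.
PROCESS_EVENTS = [
    {"host": "ws01", "user": "alice", "cmdline": r'cmd.exe /c del /f /q "C:\Windows\System32\mrt.exe"'},
    {"host": "ws01", "user": "alice", "cmdline": r'powershell.exe -nop -w hidden Add-MpPreference -ExclusionPath "C:\ProgramData\svchost"'},
    {"host": "ws02", "user": "bob", "cmdline": r'powershell.exe Get-MpPreference'},
    {"host": "ws03", "user": "carol", "cmdline": r'C:\Windows\System32\MRT.exe /Q'},
]

HEX16 = "0123456789abcdef"
DNS_EVENTS = (
    # Tunnel-shaped traffic: 12 distinct 32-character labels under one parent. Each label is a
    # window over a repeating hex alphabet, so its entropy is exactly 4 bits per character.
    [{"host": "ws01", "query": f"{(HEX16 * 3)[i:i + 32]}.telemetry-sync.example"} for i in range(12)]
    # Benign-looking repetition of one short name, plus a query with no subdomain at all.
    + [{"host": "ws02", "query": "settings-win.data.microsoft.example"}] * 12
    + [{"host": "ws02", "query": "www.example"}]
)

DEFENDER_EXCLUSION = re.compile(
    r"\b(?:Add|Set)-MpPreference\b.*-Exclusion(?:Path|Process|Extension)", re.I)
MRT_TAMPER = re.compile(
    r"\b(?:del|erase|rm|ri|remove-item|ren|rename|move|mv|takeown|icacls)\b.*\bmrt\.exe\b", re.I)


def scan_process_events(events):
    """Flag command lines that add Defender exclusions or delete/rename/reown mrt.exe."""
    findings = []
    for ev in events:
        cmd = ev["cmdline"]
        if DEFENDER_EXCLUSION.search(cmd):
            findings.append({"rule": "defender_exclusion_added", "host": ev["host"], "evidence": cmd})
        if MRT_TAMPER.search(cmd):
            findings.append({"rule": "mrt_tampering", "host": ev["host"], "evidence": cmd})
    return findings


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s."""
    n = len(s)
    counts = Counter(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_dns_events(events, min_queries=8, min_label_len=20, min_entropy=3.5):
    """Flag (host, parent domain) pairs whose subdomains look like encoded data, not hostnames."""
    by_parent = defaultdict(set)
    for ev in events:
        labels = ev["query"].lower().rstrip(".").split(".")
        if len(labels) < 3:
            continue                                  # nothing below the parent to carry data
        parent = ".".join(labels[-2:])                # naive split; use the Public Suffix List in production
        by_parent[(ev["host"], parent)].add(".".join(labels[:-2]))
    findings = []
    for (host, parent), subs in by_parent.items():
        if len(subs) < min_queries:
            continue
        mean_len = sum(len(s) for s in subs) / len(subs)
        mean_ent = sum(shannon_entropy(s) for s in subs) / len(subs)
        if mean_len >= min_label_len and mean_ent >= min_entropy:
            findings.append({"rule": "dns_tunnel_shape", "host": host,
                             "evidence": f"{parent}: {len(subs)} distinct subdomains, "
                                         f"mean length {mean_len:.0f}, mean entropy {mean_ent:.2f} bits"})
    return findings


def detect(process_events=PROCESS_EVENTS, dns_events=DNS_EVENTS):
    """Run every rule and return the combined list of findings."""
    return scan_process_events(process_events) + scan_dns_events(dns_events)


if __name__ == "__main__":
    for hit in detect():
        print(f"[{hit['rule']}] {hit['host']}: {hit['evidence']}")
```

The three rules fire together on the constructed ws01 records and stay silent for the benign Get-MpPreference call, the legitimate MRT.exe scan, and the repeated short telemetry name, which is the behaviour to expect from the campaign's pattern of disabling defenses first and only then opening a covert channel.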
Tool Update: search-for-compression.py Migrates to DidierStevensSuite
Security researcher Didier Stevens has released version 0.0.7 of the search-for-compression.py utility. Beyond routine maintenance, this release moves the tool from his experimental "Beta" repository into the main DidierStevensSuite, so forensic investigators and malware analysts can now treat it as a stable, supported component of that toolkit rather than a beta script.